On lattices, learning with errors, random linear codes, and cryptography

Research output: Contribution to journalArticle

Abstract

Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the learning from parity with error problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size (n 2) and encrypting a message increases its size by a factor of (n) (in previous cryptosystems these values are (n 4) and (n 2), respectively). In fact, under the assumption that all parties share a random bit string of length (n 2), the size of the public key can be reduced to (n).

Original languageEnglish (US)
Article number1568324
JournalJournal of the ACM
Volume56
Issue number6
DOIs
StatePublished - Sep 1 2009

Fingerprint

Random errors
Cryptography
Hardness
Decoding

Keywords

  • Average-case hardness
  • Cryptography
  • Lattice
  • Public key encryption
  • Quantum computation

ASJC Scopus subject areas

  • Hardware and Architecture
  • Software
  • Artificial Intelligence
  • Information Systems
  • Control and Systems Engineering

Cite this

On lattices, learning with errors, random linear codes, and cryptography. / Regev, Oded.

In: Journal of the ACM, Vol. 56, No. 6, 1568324, 01.09.2009.

Research output: Contribution to journalArticle

@article{c0d19d342c954c92964483e29da4a9fd,
title = "On lattices, learning with errors, random linear codes, and cryptography",
abstract = "Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the learning from parity with error problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size (n 2) and encrypting a message increases its size by a factor of (n) (in previous cryptosystems these values are (n 4) and (n 2), respectively). In fact, under the assumption that all parties share a random bit string of length (n 2), the size of the public key can be reduced to (n).",
keywords = "Average-case hardness, Cryptography, Lattice, Public key encryption, Quantum computation",
author = "Oded Regev",
year = "2009",
month = "9",
day = "1",
doi = "10.1145/1568318.1568324",
language = "English (US)",
volume = "56",
journal = "Journal of the ACM",
issn = "0004-5411",
publisher = "Association for Computing Machinery (ACM)",
number = "6",

}

TY - JOUR

T1 - On lattices, learning with errors, random linear codes, and cryptography

AU - Regev, Oded

PY - 2009/9/1

Y1 - 2009/9/1

N2 - Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the learning from parity with error problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size (n 2) and encrypting a message increases its size by a factor of (n) (in previous cryptosystems these values are (n 4) and (n 2), respectively). In fact, under the assumption that all parties share a random bit string of length (n 2), the size of the public key can be reduced to (n).

AB - Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the learning from parity with error problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size (n 2) and encrypting a message increases its size by a factor of (n) (in previous cryptosystems these values are (n 4) and (n 2), respectively). In fact, under the assumption that all parties share a random bit string of length (n 2), the size of the public key can be reduced to (n).

KW - Average-case hardness

KW - Cryptography

KW - Lattice

KW - Public key encryption

KW - Quantum computation

UR - http://www.scopus.com/inward/record.url?scp=70349309809&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70349309809&partnerID=8YFLogxK

U2 - 10.1145/1568318.1568324

DO - 10.1145/1568318.1568324

M3 - Article

VL - 56

JO - Journal of the ACM

JF - Journal of the ACM

SN - 0004-5411

IS - 6

M1 - 1568324

ER -